More Resources

IT Admin Accused of Planting 'Logic Bomb'

A computer administrator upset over the possibility of losing his job planted
an electronic "bomb" in the systems of one of the nation's largest prescription
drug management companies, prosecutors said Tuesday.

If the so-called "logic bomb" had gone off at Medco Health Solutions
Inc., it would have wiped out critical patient information, authorities said.

Even after surviving a round of layoffs, Yung-Hsun Lin, 50, kept the code in
the system and tinkered with it in an attempt to set it off, prosecutors said.
The bug eventually was discovered and neutralized by the company.

U.S. Attorney Christopher Christie said the bomb could have caused widespread
financial damage to the company, and possibly harmed a large number of patients.

Among the targeted databases was one that tracked patient-specific drug interaction
conflicts, prosecutors said. Before dispensing medication, pharmacists routinely
examine that information to determine whether conflicts exist among a patient's
prescribed medicines.

"The potential damage to Medco and the patients and physicians served
by the company cannot be understated," Christie said. "A malicious
program like this can bring a company's operations to a grinding halt and cause
millions of dollars in damage from lost data, system downtime, recovery and
repair."

Lin was arrested at his home Tuesday morning by FBI agents, and was to appear
before a federal magistrate Tuesday afternoon. His arraignment is scheduled
for Jan. 3. He is charged with two counts of computer fraud.

His lawyer, Raymond Wong, said Lin denies introducing any malicious programming
into the computer system. Wong said his client would have known that such an
action could be quickly linked to him.

"He is an administrator; if something happened, it could be traced back,"
said Wong, who added Lin has years of "excellent performance reviews."

Medco spokeswoman Soraya Balzac said the arrest "sends a strong message
that there is zero tolerance for this type of conduct."

The indictment alleges that Lin, who worked in the company's Fair Lawn office,
planted the computer bomb in Medco's servers. It would have wiped out critical
data stored on more than 70 servers, according to Assistant U.S. Attorney Erez
Lieberman. He could not estimate how many patients could have been affected.

In addition to the drug-interaction information, other data on the targeted
servers included patients' clinical analyses, rebate applications, billing and
managed-care processing.

Prosecutors said that when Franklin Lakes-based Medco was spun off from Merck
& Co. in 2003, Lin feared that layoffs would affect him.

Authorities said that on Oct. 3, 2003, Lin created the bomb designed to delete
virtually all data from the 70 targeted servers by modifying existing computer
code and adding new code. It allegedly was set to detonate automatically on
April 23, 2004 -- his birthday.

Due to a programming error, it didn't go off. Even after surviving a round
of layoffs, prosecutors said, Lin modified the bomb's code to have it detonate
on his next birthday. But the company found and disabled it before it could
cause any damage.

Last week, a former UBS PaineWebber systems administrator in New Jersey was
sentenced to eight years and one month in prison for attempting to profit by
detonating a logic-bomb program that caused millions of dollars in damage to
the brokerage's computer network in 2002. The ex-employee, Roger Duronio, also
was ordered to pay $3.1 million in restitution to his former employer, now known
as UBS Financial Services Inc., part of the Swiss banking company UBS AG.